Wireless data networks are becoming more and more a reality for end-users, especially for corporate users who are nomadic by essence. Users and system administrators of the corporate world especially seek powerful, reliable and secure wireless data networks. These Wireless Local Area Networks (WLAN) will improve productivity with a real-time access to information regardless of worker position. They will also provide a cost effective network setup for locations which are hard to wire.
But the security is one of the most important issues when dealing with data transfer. When LANs were operated without any connection with the outside world and when the connections between computers were done using wires, security was a concern inside the company. Today, because LANs are interconnected with other LANs or Wide Area Networks (WAN) such as the Internet and also because the current trend for copper is to disappear, solving the security issue is important.
To secure a transmission, two basic steps are usually done: an encryption step and an authentication step. Each of these two steps is important: the encryption step ensures that the communication between the sender and the receiver will not be understood by a third party while the authentication ensures the receiver that the sender was the real one.
Encryption is usually achieved with algorithms that use a key to encrypt and to decrypt messages by turning data into unintelligible digital data and then by restoring it to its original form. The longer the key is, the more computing resources are required to complete the task. Encryption can be performed using at least two different schemes: a single key encryption and a public/private key encryption. With a single-key encryption, both the sender and receiver use the same key to encrypt and decrypt messages. The drawback is that the sender has to get the key from the receiver somehow, without it being intercepted. When using public/private keys, algorithms are used that encrypt messages with the public key and permits decryption only by the private key. User A can openly publish his “public” key, and if user B uses it to encrypt a message, the message turns into incomprehensible data that can only be decoded with user A's secret, “private” key.
A cornerstone of such a Wireless LAN system is the ability to inter-operate with products from different manufacturers. The Institute of Electrical and Electronics Engineers (IEEE) ratified the original 802.11 in 1997 as the standard for WLANs. In September 1999, the IEEE ratified the 802.11b, which offers an improvement in terms of speed, with transmissions up to 11 Mbps. This new and powerful standard ensures a bandwidth comparable with the one provided by Ethernet 10 Mbps. This wireless network operates in the 2.4 GHz ISM frequency band.
The wireless LAN described in the 802.11 standard is composed of two different elements: a mobile unit which is usually integrated in a PCMCIA type card and an access point (AP). The mobile unit contains the wireless elements that will ensure the wireless connectivity of the mobile user to the access point. Usually the access point can provide, using a gateway, a connection to another LAN or WAN such as the Internet. Such architecture enables a mobile user to access almost any network.
In standard 802.11, there are two different modes of communication: infrastructure mode and adhoc mode. In the infrastructure mode, the wireless network consists of at least one access point and one mobile unit. This configuration is referred to as a Basic Service Set (BSS); when more than one BSS are forming a sub network, an Extended Service Set (ESS) is created. The adhoc mode or peer-to-peer mode consists in a set of more than one mobile unit which communicate together directly without using an access point. This mode can be useful when information has to be transmitted directly between two users and when no access points are available.
The OSI data link layer is divided into two sub layers within standard IEEE 802.11: the Logical Link Control (LLC) and the Media Access Control (MAC). While the LLC sublayer is the same for IEEE 802.3 and IEEE 802.11, MAC sublayer is different in the two standards. In IEEE 802.11, Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) is used instead of Carrier Sense Multiple Access with Collision Detection (CSMA/CD) for IEEE 802.3. In order to avoid collision, CSMA/CA uses packet acknowledgement (ACK). The packet acknowledgement is used whenever a packet has been sent and well received by a destination to confirm the operation to the sender. This acknowledgement concept does not exist under standard 802.3. It is also worth noting that standard 802.11 implements two interesting features: a CRC checksum and a packet fragmentation operation. This CRC checksum allows the detection at the data link layer of an error, that was previously detected, under 802.3, at a higher layer. The packet fragmentation operation allows to dynamically modify the size of the packet to be transmitted in the ether, which can be necessary, especially when the system is overcrowded. This previously described features adds some overhead in comparison to the 802.3 MAC sublayer but ensures robustness of the standard.
However the frame added by the MAC sublayer still comprises the sender MAC address and the receiver MAC address.
The security of this IEEE 802.11 comprises an encryption mechanism and an access control. The encryption mechanism is known as the Wired Equivalent Protection (WEP) protocol and the access control ID is known as the ESSID (WLAN service ID). To access an access point, a mobile unit must have the ESSID identifier of this access point. The WEP consists in a RC4 encryption protocol with a 40 bit or 128 bit shared key. If the encryption is enabled, all data transmitted are encrypted including the authentication process. As mentioned previously, the encryption scheme used in WEP uses shared keys. These keys need to be entered by the user in order to access the system. The security developed within the system suffers from serious limitations, as it will be explained below.
First, as WEP is based upon a shared private key scheme, and as very few keys are available (4 keys are typically available), the network administrator must check and track efficiently the owner of each of the keys. The keys on each mobile units must match the keys in the access point; when a key is changed, the administrator must go on each user PC and configure the new keys. The size of the key is limited to 40 bits in one version of the standard. This size is very small and hardware could be implemented to crack such a key almost in real time, allowing an almost complete access to any communications in the WLAN access point.
Furthermore, WEP only protects the data portion of the OSI link layer. The physical layer transmissions are available for sniffing.
By default the encryption feature is turned off, this can allow a malicious roaming user to access corporate intranets that are not well configured.
At this OSI link layer level, there is no way to make a distinction between two different users that share the same key unless the MAC address of the user is used. It is also important to notice that, in some cases, the MAC address of the mobile unit can be reconfigured, meaning that a malicious user can access the traffic dedicated to another user.
Thus, in view of the foregoing elements, there is a need for a security enhancement in a Wireless LAN of the type according to 802.11 standard.